chore: bump lycheeverse/lychee-action from 2.5.0 to 2.9.0#3319
chore: bump lycheeverse/lychee-action from 2.5.0 to 2.9.0#3319dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.5.0 to 2.9.0. - [Release notes](https://github.com/lycheeverse/lychee-action/releases) - [Commits](lycheeverse/lychee-action@v2.5.0...v2.9.0) --- updated-dependencies: - dependency-name: lycheeverse/lychee-action dependency-version: 2.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
tangletools
left a comment
There was a problem hiding this comment.
🟢 Value Audit — sound
| Verdict | sound |
| Concerns | 0 (none) |
| Heuristic | 0.0s |
| Duplication | 0.0s |
| Interrogation | 21.2s (2 bridge agents) |
| Total | 21.2s |
💰 Value — sound
Routine single-line bump of the lychee link-checker GitHub Action from v2.5.0 to v2.9.0, consistent with the repo's established dependency-update pattern.
- What it does: Updates the pinned version of lycheeverse/lychee-action in the
linksjob of.github/workflows/check-lint.yml:81fromv2.5.0tov2.9.0. This pulls in the underlying lychee v0.24.x engine (was v0.23.0), adding line/column diagnostics, text-fragment (#:~:text=) checking, sitemap.xml input support, and JUnit output. - Goals it achieves: Keep the docs link-checking CI step on a current, maintained version of its only tool. Prevents drift/staleness and gains more precise broken-link reports (line/col numbers) for the markdown/html/rst files the job scans.
- Assessment: Good change. It's a one-line version bump of a third-party action used in exactly one place, matching the repo's documented history of regular lychee bumps (2.3.0→2.4.0 in #2943, 2.4.0→2.5.0 in #3049, visible in apps/tangle-dapp/CHANGELOG.md:17 and libs/ui-components/CHANGELOG.md:70). The pin-to-exact-tag style (rather than floating
@v2) is the more reproducible choice and is already in use here - Better / existing approach: none — this is the right approach. Searched the repo (grep
lychee) and confirmed the action is referenced in exactly one workflow file with no alternate link-checker present, so there is nothing to deduplicate or extend. - Model: opencode/zai-coding-plan/glm-5.2
- Bridge attempts: 2
- Bridge warning: opencode/kimi-for-coding/k2p7: bridge stream ended without value-audit content
🎯 Usefulness — sound
Routine, recurring bump of the only link-checker action in the repo; immediately reachable on every PR and wired identically to prior accepted bumps.
- Integration: The bumped action at .github/workflows/check-lint.yml:81 is invoked by the
linksjob (check-lint.yml:69-87), which triggers on all pull_request events to develop/master/feature/** (check-lint.yml:4-5) plus workflow_dispatch. It is the single consumer of this action in the repo (grep found one workflow reference). Immediately exercised on the next PR. - Fit with existing patterns: This is an established maintenance pattern: CHANGELOG.md entries in apps/tangle-dapp and libs/ui-components record prior accepted bumps (2.3→2.4 via #2943, 2.4→2.5 via #3049). No competing link-checking capability exists in the repo. The args/exclude-path/fail/env inputs are unchanged and remain valid for v2.9.0.
- Real-world viability: The action runs in a fresh CI runner per PR with no concurrency or state concerns. The v2.9.0 release specifically adds automatic handling of lychee v0.24.x's new subdirectory archive layout, which is the realistic failure mode it needed to cover;
fail: trueand GITHUB_TOKEN wiring are unchanged. Happy path and the known packaging edge case are both handled upstream. - Model: opencode/zai-coding-plan/glm-5.2
- Bridge attempts: 1
No concerns — sound change, no better or existing approach found. ✅
What this audit checks
It judges the change on its merits — not whether it was tasked out in an issue. Unticketed, fast-moving work is fine; the question is whether the change is good and whether a better or existing approach should be used instead.
| Pass | What it asks |
|---|---|
| Heuristic | Vague title? Whitespace-only or cruft-bearing diff? (content signals only) |
| Duplication | Do added function/class names already exist elsewhere in the repo? |
| Value Audit | What does it do? What goal does it achieve? Is it good? Better architecture or already-exists? |
| Usefulness Audit | Does it integrate and fit? Will it hold up in real use and actually get used? |
Findings are concerns, not blocks — the human reviewer decides what to do with them.
✅ No Blockers —
|
tangletools
left a comment
There was a problem hiding this comment.
✅ Approved — 1 non-blocking finding — 2983ad28
Full multi-shot audit completed 1/1 planned shots over 1 changed files. Global verifier still owns final merge decision.
Full immutable report for this review: trace
Summary comment for this run: full summary
tangletools · 2026-07-13T19:36:10Z · immutable trace
Bumps lycheeverse/lychee-action from 2.5.0 to 2.9.0.
Release notes
Sourced from lycheeverse/lychee-action's releases.
... (truncated)
Commits
e747777Bump actions/cache from 5 to 6 (#340)39066c6Bump actions/checkout from 6 to 7 (#339)6da1d14Install into $RUNNER_TEMP instead of $HOME (#338)a63497cfixes #322 check for null (#336)b40e218[create-pull-request] automated changefaea714bump default to 0.24.1 and auto-detect lychee bin in subfolder (#330)8646ba3Add message with Summary report URL (#326)c6e7911[create-pull-request] automated change631725aBump peter-evans/create-pull-request from 7 to 8 (#318)942f324Bump actions/cache from 4 to 5 (#319)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)